Complete Guide to GDPR: General Data Protection Regulation
Written by Rick Buck, Chief Privacy Officer, WireWheel
The General Data Protection Regulation (GDPR) was adopted on April 14, 2016 and went into effect on May 25, 2018. The GDPR governs data protection and privacy in the European Union and in the European Economic Area (EEA).
The GDPR was the first comprehensive data privacy law and has inspired other legislation around the world, from the California Consumer Privacy Act (CCPA) to Brazil’s Lei Geral de Proteção de Dados (LGPD).
The GDPR went into effect on May 25, 2018.
The GDPR applies to both Data Controllers and Data Processors that are:
- Established in the EU and process personal data in the context of the activities of that EU establishment, regardless of whether the processing itself takes place within the EU, or
- Not established in the EU but process EU data subjects’ personal data in connection with offering goods or services in the EU, or with monitoring their behavior.
Covered Personal Information
Under this EU data protection law, personal data is any information relating to an identified or identifiable data subject.
The GDPR prohibits the processing of defined special categories of personal data unless a lawful justification for processing applies.
The following personal data is considered ‘sensitive’ under the GDPR and is subject to specific processing conditions:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade-union membership,
- Genetic data,
- Biometric data processed solely to identify a human being,
- Health-related data,
- Sex life or sexual orientation.
Anonymous, De-identified, Pseudonymous, or Aggregated Data
Under the GDPR, pseudonymous data is considered personal data.
Anonymous data is not considered personal data.
While the GDPR does not mention de-identified data, the CCPA’s definition of de-identified data is similar to the GDPR’s concept of anonymous data.
The GDPR’s default age for consent is 16, although individual member state law may lower it, but not below 13. For children under the applicable consent age, consent must be given by the person with parental responsibility.
Children must receive an age-appropriate privacy notice.
Children’s personal data is subject to heightened security requirements.
Under this privacy regulation, data controllers must provide detailed information about their personal data collection and processing activities. The specific information the notice must include depends on whether the data is collected directly from the data subject or obtained from a third party.
The GDPR introduced the following consumer rights:
- Right to information,
- Right to access,
- Right to rectification,
- Right to erasure,
- Right to restriction of processing,
- Right to data portability,
- Right to objection,
- Right to avoid automated decision-making.
The GDPR requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller. The contract should include:
- Type of data,
- Duration of processing,
- The rights and obligations of both parties, with specific obligations for the processor.
Data Protection Assessments
Article 35 of the GDPR requires data protection assessments when processing personal data for certain functions, such as targeted advertising, the sale of the data, certain types of profiling, the processing of sensitive data, and processing that presents a heightened risk of harm to consumers.
Transfer Impact Assessments are required for all transfers of sensitive data outside of the EEA.
Private Right of Action
The GDPR does have a provision for private rights of action.
Penalties and Damages
Under the GDPR, administrative fines can reach up to EUR 20 million or 4% of annual global revenue, whichever is higher.
The GDPR does not provide a cure period.
The only ways to be exempt from the GDPR are to:
- Actively discourage the processing of data from EU data subjects (e.g., block your site in the EU), or
- Process personal data of EU citizens only outside the EU, provided you don’t directly target EU data subjects or monitor their behavior.
In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The notification to the supervisory authority shall at least:
a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact points where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33.